The Oregon State Capitol in Salem.

Jul 16 2020

Q&A: How Oregon Is Preparing to Secure the November Election

Officials in the Beaver State have been facilitating mail-in voting for decades but are not staying complacent when it comes to election security.

Editor's note: This is one of a series of Q&As StateTech has conducted with state election officials and cybersecurity experts on election security. To read our Q&A with Adam Clayton Powell III, the executive director of the University of Southern California’s Election Cybersecurity Initiative, click here. And to read our Q&A with Colorado Secretary of State Jena Griswold, click here

As the coronavirus pandemic has unfolded, there have been numerous calls from both state officials and nonprofit groups to increase the use of mail-in voting to protect public health and ensure citizens have access to voting if they do not want to vote in person at a polling station. 

Oregon is no stranger to voting by mail, since it became the first state to make mail-in ballots the standard voting system for elections back in 2000. Despite the lengthy experience the Beaver State has with voting by mail, the state isn’t taking any chances when it comes to election security. 

Recently, StateTech spoke with Peter Threlkel, director of information services for the Oregon Secretary of State, about the state’s approach to election cybersecurity, the lessons learned from the primary season and how the state is handling security amid the pandemic. 

STATETECH: How did the primary season unfold, and what lessons did Oregon learn from it? 

THRELKEL: We’d been watching what was going on in other states and we were thankful in Oregon that we’ve been using the paper ballots by mail for the last 20-plus years. So, a lot of things that were happening in other states, where you have the long lines at the polling place and you had the states trying to run expanding absentee ballot requests while still supporting all the places, that’s just not something that Oregon has had to deal with for a generation now because we’ve had them vote by mail for so long. 

We were really able to avoid a lot of that. You really have to feel for those other states, trying to do that during the pandemic, and the voters as well. Here, you can use your ballot in the mail: You fill it out and drop it back in the mail. This year, the state provided return postage just to make it even easier for citizens to get the votes in. And for those who go into the counties, they’re a little bit more of a controlled environment because it’s just the county election staff coming in and opening up the ballots, checking the signatures and then counting the ballots, running them through the machine. 

We didn’t observe or see any issues this year here in Oregon. One of the main things that we’ve tried to pay attention to and watch for is the risk of ransomware. And that’s always a concern. If one of the offices or the counties or some area were to get their computers locked up, that would be a struggle.

STATETECH: What is the most pressing worry or priority for you when it comes to election security?

THRELKEL: That’s the area where we want to make sure that we’ve got our backups. Those are done on a frequent basis. Because, when it comes to ransomware, what we see is that it’s the human element. That is, a lot of times, where your exposure is. 

It’s pretty easy for somebody to click on a link in an email, and all of a sudden you’ve got malware spreading across a network. And if that gets into an election system, that would be especially troublesome. 

One of the things that we’ve been working on is that we’ve been partnering this year with the CISA at [the Department of] Homeland Security and the Elections Infrastructure Information Sharing and Analysis Center. We’re in the process of deploying Albert sensors at each of the 36 counties. We have that at the state level and have for a couple of years. And, hopefully, here in the next few weeks, we’ll have that deployed out to all 36 counties. We’re also participating in a pilot program for endpoint detection and response. We have that installed at the secretary of state in all of our election infrastructure, and across our whole network. But we’re also looking to get that deployed out to the counties as well. Another thing is that the EI-ISAC has just come out with a malicious domain blocking and reporting system. We want to get signed up for that as well. With multifactor authentication, that just truly adds additional layers of security, on top of all the things that we do as a matter of course. 

STATETECH: The endpoint protection system that you mentioned, is that something that is provided by EI-ISAC or is that something else?

THRELKEL: It was a grant from Homeland Security through the Center for Internet Security in partnership with the ISAC. They’re making it available to all 50 states that want to have it rolled out by the end of the summer. We signed on as an early adopter, because we saw the value in having that type of a system in place. We wanted to be one of the first out of the gate, and so far we are pretty pleased with it.

MORE FROM STATETECH: Deepfake videos can increase chaos through misinformation; learn how to spot them.

STATETECH: How do you prioritize election security threats? 

THRELKEL: I don’t know that you can really just pick one area and focus on that. I think you have to have a very broad-based approach, and security’s about being hypervigilant. It’s just this continuing evolution: How do we continue to get better every day and make sure that our patches and our systems are up to date, that we’re monitoring the systems, that we have incident management tools in place and also training for staff. 

We’re doing our annual training of the agency right now. We’ve done phishing campaigns with agency staff as well as county election staff in this past year. And we’ll continue to do that just to make sure that people are on their toes and watching for any type of vulnerability or risk that’s out there. 

STATETECH: How would you compare the level of coordination between the states and federal officials on election security with where it was four years ago?

THRELKEL: Well, I wasn’t in this role four years ago. I was with the secretary of state’s office, but I was running the corporate division at that time. Just in the past year, I’ve switched over to the technology side of the house. I’ve become a little bit more familiar with what’s going on with the election security side of things. But definitely, based on everything that I’ve heard and what I’ve seen, there’s much more of a focus around collaboration and partnerships between the states and the feds, and a lot of it really is driven by those experiences in 2016. We’re participating in monthly briefings with the EI-ISAC. We also have partnered with DHS, the FBI and the Department of Justice. Last year, we did a tabletop exercise that the feds had developed, and we did that with county election staff on cybersecurity. Earlier this year, we held a joint elections security symposium with DHS, the FBI and county officials to address election security issues. A lot of that was really about having these strong partnerships in place to where we’re communicating all the time and sharing information and also looking out for each other so that we’re not caught off guard or unaware.

MORE FROM STATETECH: Explore this infographic to discover how to protect voter information.

STATETECH: As more states that don’t have Oregon’s history with voting by mail start ramping up the infrastructure to make that possible for November, what do you think they should keep in mind when it comes to security?

THRELKEL: I think it’s along the same lines of what you would do in general: trying to secure your systems and your networks and your applications. It’s that common-sense approach, making sure that systems are updated and patched and that you don’t leave vulnerabilities out there. That’s hard to do if you’ve got multiple priorities and reduced staff — especially now, where a lot of states are looking at having budget reductions — and you’re still trying to maintain and keep everything. But I would say, when it really comes down to voting by mail, I think there’s an advantage to just really committing to that process and getting out of the in-person polling places, because it is a little bit more difficult. It’s harder to secure and maintain both systems effectively. So, if you can really just kind of narrow it down — like Oregon has done, like the state of Washington has done, Colorado — so that you just have the one process that you’re supporting and maintaining, it cuts a lot of those exposure points down. Every polling place with voting machines, those add additional risks. You can really focus your delivery system if you’re doing 100 percent of voting by mail. 

STATETECH: Is there anything that keeps you up at night when it comes to election security?

THRELKEL: Misinformation is one of the things that we’ve really seen as one of the biggest concerns that came out of 2016, as well as right now. It’s pretty easy for someone to create misinformation and then spread it on social media. We are starting to see the more responsible social media companies taking proactive steps, and I think that continues to evolve. There’s just so much more of a role for how people interact online with each other and on those social media platforms that maybe didn’t exist to a great extent 10 or 20 years ago.

That’s more how things are now, but that area has to evolve. And I think that it’s difficult for a campaign or a state to really be highly effective at combating a lot of misinformation. So that’s really where I think the impetus goes back on those social media companies to really step up and recognize how their systems and tools are being used and misused, especially when it comes to elections and election security and misinformation around that. 

The other thing that I find challenging is just the rapid and increasing pace of technology, and the speed at which technology becomes obsolete. What we’re finding is that the replacement cycles and the upgrade cycles are just getting shorter and shorter. We’re just in this constant learning mode for our staff with new technology, how we operate, how we secure our systems.

Getty Images / svetlana57